As botnets break boundaries, banishing them requires new technology

Scale and sophistication of invasion calls for proactive monitoring and deterrence


Arguably, the single biggest reason cyber attacks remain unstoppable is because our own computing devices supply the bad guys’ processing power—as part of botnets.

A bot is a computing nodule infected with a small bit of coding that causes it to obey instructions from a command and control server. A botnet is a network of thousands upon thousands of bots under control of an attacker.

Related video: What you should know about battling botnets

Botnets are continually replenished. Infections lurk everywhere: in email-borne attachments and web links; in social media postings; on popular and obscure web pages.

The care, feeding and deployment of botnets has grown into a multibillion-dollar criminal enterprise. Criminal rings use botnets to spread spam, distribute phishing scams, launch denial of service attacks, infiltrate and plunder networks, execute wire fraud and more. Botnets are the engine of cyber crime.

ThirdCertainty recently asked Rami Essaid, CEO of Distil Networks, about the current state of botnet activities. Distil is in the vanguard of security start-ups focused on monitoring and deterring botnet traffic. This text has been edited for clarity and length.

3C: Distil is focused on detecting bots operating in browsers. Can you tell us about that?

Rami Essaid, Distil Networks CEO

Essaid: Bots have gotten to be a lot more sophisticated. Instead of just being a script on the computer that’s running in the background, they’re now embedded in the actual web browser, which gives them access to things like the cookies, running JavaScript. They can even emulate mouse movements in certain cases. And so what ends up happening is they become much harder to detect.

3C: What does this enable the attacker to accomplish?

Essaid: The biggest spike we saw in 2016 was in account takeovers. So think about the past couple of years; you’ve had Ashley Madison, Target, LinkedIn, all these different breaches. There’s literally close to a billion user names and passwords out there in the wild. The bad guys are not going through them one by one; they’re loading them up in the bots, and seeing what else they can access … not just on social media, but on bank accounts, on e-commerce sites, on all these different institutions. Account fraud is going through the roof.

3C: Can you walk us through it?

Essaid: I’ll give you a real-life customer example. StubHub, they’re a subsidiary of eBay. They have tickets on their website. They have money in people’s accounts. What the bad guys are doing is trying to get access to that money, that cash balance that’s sitting in those accounts. So they try user names and passwords. They load them up to distributed bots, and then they run those bots to see which accounts those bots can get into. Once they can get in, then it kicks it off to another team and there is an automated bot that is responsible for clearing out the account. And they do it in a very, very intelligent way.

3C: Two separate botnets working in tandem?

Essaid: Yes. It’s a systemized process. One is an account checker, one is an account emptier.

3C: Aren’t botnets also used to steal the logons in the first place?

Essaid: Oftentimes bots are doing the data theft to get these user names and passwords. It’s like the 15 degrees of bots. Any direction you go, it leads back to this tool that’s at the centerpiece of it all.

3C: What’s being done to mitigate botnets?

Essaid: It’s an arms race. The bots are getting smarter every day. So we as a vendor have to continue to add more engineering resources to this fight. We are seeing traffic across not just one customer but our entire network. We’re correlating that information. We’re looking for anomalies. Something feels off.

The machine learning algorithms will intercept that traffic and challenge it with some sort of test. We’re talking about dozens of different data points that are all being correlated together with a couple of different machine learning algorithms to find a high likelihood that we will feel really confident that it’s a bot.

3C: What about the human component?

Essaid: We have data scientists who are building new classifiers. They’re constantly looking for new patterns, new things that we can key off of to try to find bots. Then we have analysts who look at web traffic and work with our biggest customers. And they try to find things our system missed. They uncover certain patterns, and they kick that over to the data science team or they can write custom rules and deploy that networkwide. When they find a bot that we haven’t seen before, they can write an instant patch for our entire system and push that out globally.
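The kind of custom rule the analysts above describe, applied to the account-checker pattern Essaid walks through earlier (many credentials tried from a source, a few succeeding, the successes handed off for emptying), can be sketched as a small detector over authentication log lines. The following is an added example, not Distil's code or anything the interview describes in detail: the log format, the field names and the thresholds are assumptions, and the log lines are constructed. It correlates three per-source signals (attempt volume, spread of distinct usernames, failure ratio) and returns both the suspected sources and the accounts that authenticated successfully from them, which is the list a defender would want to lock down before an "account emptier" acts on it.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (not real traffic). Assumed format:
# "<timestamp> <client-ip> <username> <result>" with result OK or FAIL.
SAMPLE_LOG = """\
2016-11-03T10:00:00Z 198.51.100.5 bob FAIL
2016-11-03T10:00:04Z 198.51.100.5 bob OK
2016-11-03T10:00:09Z 198.51.100.5 carol OK
2016-11-03T10:00:10Z 203.0.113.7 u01 FAIL
2016-11-03T10:00:10Z 203.0.113.7 u02 FAIL
2016-11-03T10:00:11Z 203.0.113.7 u03 OK
2016-11-03T10:00:11Z 203.0.113.7 u04 FAIL
2016-11-03T10:00:12Z 203.0.113.7 u05 FAIL
2016-11-03T10:00:12Z 203.0.113.7 u06 FAIL
2016-11-03T10:00:13Z 203.0.113.7 u07 FAIL
2016-11-03T10:00:13Z 203.0.113.7 u08 FAIL
2016-11-03T10:00:14Z 203.0.113.7 u09 OK
2016-11-03T10:00:14Z 203.0.113.7 u10 FAIL
2016-11-03T10:00:15Z 203.0.113.7 u11 FAIL
2016-11-03T10:00:15Z 203.0.113.7 u12 FAIL
"""


@dataclass
class SourceStats:
    """Per-client-IP counters accumulated over the log window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result); the layout is an assumption."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result.upper()


def analyze(log_text, min_attempts=10, min_distinct_users=8, min_fail_ratio=0.7):
    """Correlate volume, username spread and failure ratio per source.

    Returns the sources that look like an account checker and the set of
    accounts that logged in successfully from those sources (candidate
    takeovers to review). Thresholds are illustrative, not tuned values.
    """
    per_source = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        stats = per_source[ip]
        stats.attempts += 1
        stats.users.add(user)
        if result == "OK":
            stats.successes.add(user)
        else:
            stats.failures += 1

    flagged = {}
    for ip, stats in per_source.items():
        fail_ratio = stats.failures / stats.attempts
        # A human mistyping a password hits one or two usernames with a low
        # attempt count; a checker sprays many usernames and mostly fails.
        if (stats.attempts >= min_attempts
                and len(stats.users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "attempts": stats.attempts,
                "distinct_users": len(stats.users),
                "fail_ratio": round(fail_ratio, 3),
                "successful_logins": sorted(stats.successes),
            }

    accounts_to_review = set()
    for info in flagged.values():
        accounts_to_review.update(info["successful_logins"])
    return {"flagged_sources": flagged, "accounts_to_review": accounts_to_review}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, info in report["flagged_sources"].items():
        print(f"suspected account checker {ip}: {info}")
    print("accounts to review:", sorted(report["accounts_to_review"]))
```

On the constructed log the legitimate client (three attempts, two users) stays below every threshold, while the spraying source is flagged with two successful logins that should be locked and forced through a password reset. A per-IP rule like this is only a starting point: the interview stresses that the checkers are distributed, so a botnet that spreads its attempts thinly across many sources slips under per-source thresholds. That is why the correlation has to be done fleet-wide, for example by counting, per username, successes that follow a burst of failures from many different sources.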

3C: Will the good guys gain ground, moving ahead?

Essaid: Well, the bad guys are evolving, and we as a company have a really good handle on web applications. Unfortunately, the OTA did a survey of all the big sites out there and they found that very few of them have sophisticated bot detections. So we have a lot of work to do on our end.
